--- JTBurn <[EMAIL PROTECTED]> wrote:
I think it's a typical form of an XDCC-BoT. That means: they hacked your PC and installed a script from which the persons from the channel can get warez or moviez and so on from your PC.
-- cu, JTBurn
Hello,
I think you are right. In the irc servers mentioned in the original post, there is a warez trading channel called "#isozone" and as the original poster
Actually it's #iso-zone and I think their control channel was #okie as someone mentioned before. #okie looks like it was closed down (only 2 people left in it, looks like some were moved to #test0r) and #iso-zone looks like they are having a lack of warez sharing bots.
10:36 [ctcp([iZ]-iSo-ZonE0074)] VERSION
10:36 CTCP VERSION reply from [iZ]-iSo-ZonE0074: Xans XDCC Bot 0.51
Here is a quick scan of some infected machines (if these are the same bots).
10:32 *** * [iZ]-iSo-ZonE0043 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0004 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0001 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0011 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0062 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0086-OutOfOrder H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-LeechMe-v2 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0056 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0007 H 0 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0003 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0002 H 0 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0025 H 1 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0064 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0010 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE-0100 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0036 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0068 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0008 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0030 H 1 [EMAIL PROTECTED] "IsoZone"
10:32 *** #test0r [iZ]-iSo-ZonE0009 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0021 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0031EU H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** * [iZ]-iSo-ZonE0032 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #iso-zone [iZ]-UtilServer H 0 [EMAIL PROTECTED] "IsoZone"
10:32 *** #iso-zone [iZ]-iSo-ZonE0027 H 3 [EMAIL PROTECTED] "IsoZone"
10:32 *** #iso-zone [iZ]-iSo-ZonE0074 H 0 [EMAIL PROTECTED] "IsoZone"
10:32 *** End of /WHO list
mentioned, "the user name is IsoZone and the credit line reads iSoZoNE WAS H3R3". So, your PC is being used to serve illegal warez to people. Even though it is not your fault, it can get you in trouble with the law.
-- S.G.Masood
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
